Critical infrastructure

Critical infrastructure, or critical national infrastructure (CNI) in the UK, describes infrastructure considered essential by governments for the functioning of a society and economy and deserving of special protection for national security. Critical infrastructure has traditionally been viewed as under the scope of government due to its strategic importance, yet there's an observable trend towards its privatization, raising discussions about how the private sector can contribute to these essential services.

Items
Most commonly associated with the term are assets and facilities for:
 * Shelter; Heating (e.g. natural gas, fuel oil, district heating);
 * Agriculture, food production and distribution;
 * Education, skills development and technology transfer / basic subsistence and unemployment rate statistics;
 * Water supply (drinking water, waste water/sewage, stemming of surface water (e.g. dikes and sluices));
 * Public health (hospitals, ambulances);
 * Transportation systems (fuel supply, railway network, airports, harbours, inland shipping);
 * Security services (police, military);
 * Electricity generation, transmission and distribution (e.g. natural gas, fuel oil, coal, nuclear power);
 * Renewable energy, which is naturally replenished on a human timescale, such as sunlight, wind, rain, tides, waves, and geothermal heat;
 * Telecommunication; coordination for successful operations;
 * Economic sector: goods and services and financial services (banking, clearing).

Canada
The Canadian Federal Government identifies the following 10 Critical Infrastructure Sectors as a way to classify essential assets.
 * 1) Energy & Utilities: Electricity providers; off-shore/on-shore oil & gas; coal supplies, natural gas providers; home fuel oil; gas station supplies; alternative energy suppliers (wind, solar, other)
 * 2) Information and Communication Technology: Broadcast Media; telecommunication providers (landlines, cell phones, internet, wifi); Postal services;
 * 3) Finance: Banking services, government finance/aid departments; taxation
 * 4) Health: Public health & wellness programs, hospital/clinic facilities; blood & blood products
 * 5) Food: Food supply chains; food inspectors; import/export programs; grocery stores; agriculture & aquaculture; farmers markets
 * 6) Water: Water supply & protection; wastewater management; fisheries & ocean protection programs
 * 7) Transportation: Roads, bridges, railways, aviation/airports; shipping & ports; transit
 * 8) Safety: Emergency responders; public safety programs
 * 9) Government: Military; Continuity of governance
 * 10) Manufacturing: Industry, economic development

European Union
European Programme for Critical Infrastructure Protection (EPCIP) refers to the doctrine or specific programs created as a result of the European Commission's directive EU COM(2006) 786 which designates European critical infrastructure that, in case of fault, incident, or attack, could impact both the country where it is hosted and at least one other European Member State. Member states are obliged to adopt the 2006 directive into their national statutes.

It has proposed a list of European critical infrastructures based upon inputs by its member states. Each designated European Critical Infrastructure (ECI) will have to have an Operator Security Plan (OSP) covering the identification of important assets, a risk analysis based on major threat scenarios and the vulnerability of each asset, and the identification, selection and prioritisation of counter-measures and procedures.

Germany
The German critical-infrastructure protection programme KRITIS is coordinated by the Federal Ministry of the Interior. Some of its special agencies like the German Federal Office for Information Security or the Federal Office of Civil Protection and Disaster Assistance BBK deliver the respective content, e.g., about IT systems.

Singapore
In Singapore, critical infrastructures are mandated under the Protected Areas and Protected Places Act. In 2017, the Infrastructure Protection Act was passed in Parliament, which provides for the protection of certain areas, places and other premises in Singapore against security risks. It came into force in 2018.

United Kingdom
In the UK, the National Protective Security Authority (NPSA) provides information, personnel and physical security advice to the businesses and organizations which make up the UK's national infrastructure, helping to reduce its vulnerability to terrorism and other threats.

It can call on resources from other government departments and agencies, including MI5, the National Cyber Security Centre (NCSC) and other government departments responsible for national infrastructure sectors.

United States
The U.S. has had a wide-reaching critical infrastructure protection program in place since 1996. Its Patriot Act of 2001 defined critical infrastructure as those "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

In 2014 the NIST Cybersecurity Framework was published, and quickly became a popular set of guidelines, despite the significant costs of full compliance.

These have identified a number of critical infrastructures and responsible agencies:


 * 1) Agriculture and food – Departments of Agriculture and Health and Human Services
 * 2) Water – Environmental Protection Agency
 * 3) Public Health – Department of Health and Human Services
 * 4) Emergency Services – Department of Homeland Security
 * 5) Government – Department of Homeland Security
 * 6) Defense Industrial Base – Department of Defense
 * 7) Information and Telecommunications – Department of Commerce
 * 8) Energy – Department of Energy
 * 9) Transportation and Shipping – Department of Transportation
 * 10) Banking and Finance – Department of the Treasury
 * 11) Chemical Industry and Hazardous Materials – Department of Homeland Security
 * 12) Post – Department of Homeland Security
 * 13) National monuments and icons – Department of the Interior
 * 14) Critical manufacturing – Department of Homeland Security (14th sector announced March 3, 2008; recorded April 30, 2008)

National Infrastructure Protection Plan
The National Infrastructure Protection Plan (NIPP) defines the critical infrastructure sectors in the US. Presidential Policy Directive 21 (PPD-21), issued in February 2013 and entitled Critical Infrastructure Security and Resilience, mandated an update to the NIPP. This revision of the plan established the following 16 critical infrastructure sectors:


 * 1) Chemical
 * 2) Commercial facilities
 * 3) Communications
 * 4) Critical manufacturing
 * 5) Dams
 * 6) Defense industrial base
 * 7) Emergency services
 * 8) Energy
 * 9) Financial services
 * 10) Food and agriculture
 * 11) Government facilities
 * 12) Healthcare and public health
 * 13) Information technology
 * 14) Nuclear reactors, materials, and waste
 * 15) Transportation systems
 * 16) Water and wastewater systems

National Monuments and Icons, along with the postal and shipping sector, were removed in the 2013 update to the NIPP. The 2013 version of the NIPP has faced criticism for lacking viable risk measures. The plan assigns the following agencies sector-specific coordination responsibilities:


 * Department of Homeland Security
   * Chemical
   * Commercial facilities
   * Communications
   * Critical manufacturing
   * Dams
   * Emergency services
   * Government facilities (jointly with General Services Administration)
   * Information technology
   * Nuclear reactors, materials, and waste
   * Transportation systems (jointly with Department of Transportation)
 * Department of Defense
   * Defense industrial base
 * Department of Energy
   * Energy
 * Department of the Treasury
   * Financial services
 * Department of Agriculture
   * Food and agriculture
 * General Services Administration
   * Government facilities (jointly with Department of Homeland Security)
 * Department of Health and Human Services
   * Healthcare and Public Health
 * Department of Transportation
   * Transportation systems (jointly with Department of Homeland Security)
 * Environmental Protection Agency
   * Water and wastewater systems

State-level legislation
Several U.S. states have passed "critical infrastructure" bills, promoted by the American Legislative Exchange Council (ALEC), to criminalize protests against the fossil fuel industry. In May 2017, Oklahoma passed legislation which created felony penalties for trespassing on land considered critical infrastructure, including oil and gas pipelines, or conspiring to do so; ALEC introduced a version of the bill as a model act and encouraged other states to adopt it. In June 2020, West Virginia passed the Critical Infrastructure Protection Act, which created felony penalties for protests against oil and gas facilities.

Stress testing
Critical infrastructure (CI) such as highways, railways, electric power networks, dams, port facilities, major gas pipelines or oil refineries is exposed to multiple natural and human-induced hazards and stressors, including earthquakes, landslides, floods, tsunamis, wildfires, climate change effects or explosions. These stressors and abrupt events can cause failures and losses, and hence can interrupt essential services for society and the economy. Therefore, CI owners and operators need to identify and quantify the risks that different stressors pose to their CIs, in order to define mitigation strategies and improve the resilience of the CIs. Stress tests are advanced and standardised tools for hazard and risk assessment of CIs that include both low-probability high-consequence (LP-HC) events and so-called extreme or rare events, as well as the systematic application of these new tools to classes of CI.

Stress testing is the process of assessing the ability of a CI to maintain a certain level of functionality under unfavourable conditions. Stress tests consider LP-HC events, which are not always accounted for in the design and risk assessment procedures commonly adopted by public authorities or industrial stakeholders. A multilevel stress test methodology for CI has been developed in the framework of the European research project STREST, consisting of four phases:

Phase 1: Preassessment, during which the data available on the CI (risk context) and on the phenomena of interest (hazard context) are collected. The goal and objectives, the time frame, the stress test level and the total costs of the stress test are defined.

Phase 2: Assessment, during which the stress test at the component and the system scope is performed, including fragility and risk analysis of the CIs for the stressors defined in Phase 1. The stress test can result in three outcomes: Pass, Partly Pass and Fail, based on the comparison of the quantified risks to acceptable risk exposure levels and a penalty system.

Phase 3: Decision, during which the results of the stress test are analyzed according to the goal and objectives defined in Phase 1. Critical events (events that most likely cause the exceedance of a given level of loss) and risk mitigation strategies are identified.

Phase 4: Report, during which the stress test outcome and risk mitigation guidelines based on the findings established in Phase 3 are formulated and presented to the stakeholders.

This stress-testing methodology has been demonstrated on six CIs in Europe at component and system level: an oil refinery and petrochemical plant in Milazzo, Italy; a conceptual alpine earth-fill dam in Switzerland; the Baku–Tbilisi–Ceyhan pipeline in Turkey; part of the Gasunie national gas storage and distribution network in the Netherlands; the port infrastructure of Thessaloniki, Greece; and an industrial district in the region of Tuscany, Italy. The outcome of the stress testing included the definition of critical components and events and risk mitigation strategies, which are formulated and reported to stakeholders.